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SECURITY MANAGEMENT IN DATA 
PROCESSING NETWORKS 



Technical Field 

5 

The present invention generally relates to security management in 
data processing networks and particularly relates methods, 
apparatus, and computer program products for security management 
in a node of a data processing network. 

10 

"q Background 

O 

U1 A data processing network typically comprises a plurality of data 
yi processing node interconnected by a communication networks. Each 

.p data processing node typically comprises a processor such as a 

f% 

microprocessor, a memory , an input /output (I/O) interface for 

m 

.ft! connecting the node to the network, and bus interconnecting the 
processor, memory and interface. Data processing networks can 
predefined or alternatively come into being on an ad-hoc basis. 
20 

Ad -hoc networks are typically formed between a plurality of 
mobile data processing nodes such a wireless data processing 
devices. Such data processing devices typically communicate with 
each other in an ad -hoc network by radio frequency, infra red, or 

25 similar wireless communication medium. Mobile ad-hoc networks 
typically do not rely on any fixed communication infrastructure. 
Instead, nodes in such networks communicate in a self -organized 
manner, relaying messages originated by other nodes. These 
networks work properly provided that the participating nodes 

30 collaborate in routing and forwarding. However, nodes in such 



n - 
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networks may choose not to collaborate. It would be desirable to 
detect and isolate such nodes, thus making it unattractive for 
participating nodes to deny collaboration. An example of a mobile 
ad-hoc network is the Terminodes network described in [1] . In the 
5 Terminodes network, devices act as nodes and terminals 

simultaneously and forward packets destined for other nodes. 
Another example of a mobile ad -hoc network is the MANET network 
described in [2] . A routing protocol associated with the MANET 
network is the Dynamic Source Routing (DSR) protocol. The 
10 Terminodes network is a wide area, self organized network. The 

|4 MANET network is not such a network. It would desirable to 

fit 

□ provide incentives for nodes in such networks to collaborate with 

SI 

pi each other in the interests of improving flow of messages within 
% the network. 

I* 

fg As indicated in [3] , there are many information security issues 
H associated with data networks, including those of authentication, 
„;| integrity, confidentiality, availability, access control, and 
jfy non- repudiation. Security in mobile ad-hoc networks cannot be 
20 readily addressed in the same way it is addressed in 

infrastructure based networks because mobile ad -hoc networks are 
vulnerable to attacks which are not experienced in 
infrastructure -based networks. Additional security issues 
associated with mobile ad-hoc networks will now be briefly 
25 discussed. 

Although not generally an issue for infrastructure based 
networks, it is desirable in mobile ad hoc networks for there to 
be an incentive for a node to forward messages that are not 
30 destined for itself. Nodes in such networks can be greedy, 
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selfish, and economic in the forwarding of messages. Attacks on 
such networks include: incentive mechanism exploitation by 
message interception, copying, or forging; incorrect forwarding; 
and, bogus routing advertisements. If a node does not forward 
5 messages, other nodes might not forward either, thereby denying 
service within the network. A lack of collaboration with other 
nodes and exploitation of the willingness of other nodes to 
collaborate is an example of a boycotting behavior pattern. A 
node may choose not to collaborate with other nodes, exploit the 
10 willingness of the other nodes to collaborate, and then restrict 

H» access of those other nodes to its own resources. Such a node 

O 

O thus deprives other nodes of its resources while simultaneously 

If* exploiting the resources of the other nodes. 

W 
ii ;i 

As indicated in [4] , routing information can be at least equally 

is 

r| important as message content. It can be desirable therefore to 
!jJl protect the privacy of routing information in the interests of 

It ir'5 

N maintaining secrecy in the whereabouts of a given node. This 
fU however prevents the use of routing information by intermediate 
20 nodes in the network. It is desirable for routes in a network to 
be established and advertised based on a selected protocol. 
However, by diverting traffic, nodes can work against this. For 
example, to obtain information for malicious behavior, a node can 
attract traffic to itself or to colluding nodes by sending false 
25 routing advertisements. There are many different techniques for 
creating a false route that exhibits properties of a good route 
and is subsequently preferred over genuine routes. Such false 
routes can be made to remain longer in routing caches. To avoid 
raising suspicion, nodes can keep copies of received messages as 
30 the messages are forwarded to the intended destination. It will 
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be appreciated that much information for formulating network 
attacks can be gathered in this manner. For example, denial of 
service attacks can be achieved by injecting false routing 
information or by otherwise distorting routing information to 
5 partition the network or to introduce excessive loading in the 
network. A node can also forward messages to colluding nodes for 
analysis, disclosure and the like. Similarly, a node may choose 
not to forward messages at all, thereby boycotting 
communications . 

10 

ig The limited infrastructure and organization within ad-hoc 
JjJ networks offers enhanced opportunities for network attacks. 

Without proper security, it is possible to gain various unfair 
IJ1 advantages by misbehavior, including: better service than 

15 cooperating nodes, monetary benefits by exploiting incentive 

iH 

J* measures or trading confidential information; saving power by 

W 

fli selfish behavior; and, preventing others from obtaining adequate 

SI 

p service. 

20 A node exhibiting one or more of the undesirable behavior 

patterns herein before described will be herein after referred to 
as a malicious node. 



Described in [5] is a scheme for authenticating users by 
25 "imprinting" according to the analogy with ducklings 

acknowledging the first moving object they see as their mother, 
but enabling nodes to be imprinted several times, in t6] , 
threshold security is employed, permitting several corrupted 
nodes or collusion between such nodes. In [7], network security 
30 based on distance vector protocols is described. As indicated in 
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[8], incentives for nodes to collaborate via a so-called nuglet 
serving as a per-hop payment in each packet have been suggested 
to ensure message forwarding. In [9] , increased throughput in 
mobile ad-hoc networks is achieved by complementing DSR with a 
5 watchdog for detection of malicious behavior and a path rater for 
trust management and routing policy* This permits nodes to route 
around malicious nodes. However, a problem associated with the 
scheme relates to scalability, because every node in the network 
keeps a rating of every other node. This is not suitable for 
10 "open world" networks such as the aforementioned Terminodes 
Hj network because the memory requirements associated with 
0 maintaining ratings would be too burdensome. The scheme relieves 

yi malicious nodes that do not collaborate from the burden of 

s p 

forwarding messages for others, whereas messages from the 
15 malicious nodes are forwarded without complaint. Thus, malicious 

£ - 

0 nodes are effectively rewarded for misbehavior and thus 

rij 

ft! encouraged to misbehave. Although the overall network throughput 

is increased, the failure to collaborate is undesirable. It would 
*W be desirable for malicious behavior and non- collaboration in the 
20 network to be punished. Detection of malicious behavior alone is 
insufficient. It would be preferable for the detection to cause a 
reaction in other nodes that makes malicious behavior 
disadvantageous . 

25 Summary of the Invention 

In accordance with the present invention, there is now provided a 
method for security management in a node of a data processing 
network comprising a plurality of nodes, wherein each node 
30 maintains topology data representing the network, the method 
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comprising: evaluating an event received by the node from a 
neighboring node in the network to determine if the event 
satisfies a predetermined security test; and, if the event fails 
the security test, modifying an entry associated with the 
5 neighboring node in the topology data maintained by the node, and 
sending an alarm notification indicative of the security failure 
to other nodes of the network* 

The sending step may include sending the alarm notification to 
10 all other nodes in the network. The evaluating of the event 
received from the neighboring node may comprise: counting the 

O number of occurrences of the event in a predetermined time 

01 

Iff interval; incrementing a rating of the neighboring node if the 

liS number of occurrences exceeds a predetermined event occurrence 

k.. S 

15 threshold; and, determining that the event fails the security 
p test if the rating of the neighboring node exceeds a 

ru 

ry predetermined rating threshold. A preferred embodiment of the 
S'S .... 

Ji present invention comprises: receiving an alarm notification 

\4 

!U generated by another node in the network, the received alarm 

20 notification being indicative of an event caused by a further 
node in the network; evaluating the alarm notification received 
generated by the other node to determine if the other node 
satisfies a predetermined trust test, and, evaluating the event 
indicated by the alarm notification if the other node passes the 

25 trust test to determine if the event indicated by the alarm 

notification satisfies the security test; and, if the event fails 
the security test, modifying an entry associated with the event 
causing node in the topology data maintained by the node, and 
sending another alarm notification indicative of the security 

30 failure to any neighboring nodes. The evaluating of the event 
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indicated by the alarm notification may comprise: counting the 
number of occurrences of the event indicated by the alarm 
notification in a predetermined time interval; incrementing a 
rating of the event causing node if the number of occurrences 
5 exceeds a predetermined event occurrence threshold; and, 

determining that the event fails the security test if the rating 
of the event causing node exceeds a predetermined rating 
threshold. 

10 Viewing the present invention from another aspect, there is now 
;^ provided a computer program product comprising a computer 
13 readable medium having embodied therein computer readable program 
111 code means for causing a processor of a node in a data processing 
in network comprising a plurality of nodes to perform a method for 

ra security management in the node, wherein each node maintains 

IP topology data representing the network, the method comprising: 

\ y 

ry evaluating an event received by the node from a neighboring node 

in the network to determine if the event satisfies a 
fy predetermined security test; and, if the event fails the security 
20 test, modifying an entry associated with the neighboring node in 
the topology data maintained by the node, and sending an alarm 
notification indicative of the security failure to any other 
nodes of the network. 

25 Viewing the present invention from yet another aspect, there is 
now provided apparatus for security management in a node of a 
data processing network comprising a plurality of nodes, wherein 
each node maintains topology data representing the network, the 
apparatus comprising control logic configured to evaluate an 

30 event received by the node from a neighboring node in the network 
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to determine if the event satisfies a predetermined security 
test, to modify an entry associated with the neighboring node in 
the topology data maintained by the node if the event fails the 
security test, and to send an alarm notification indicative of 
5 the security failure to other nodes in the network. 

Viewing the present invention from still another aspect, there is 
now provided a data processing node for connection to a data 
processing network comprising a plurality of nodes, wherein each 
10 node maintains topology data representing the network, the data 

H s processing node comprising: a memory for storing the topology 

@ 

ig data; and, security management control logic connected to the 
S memory and configured to evaluate an event received by the node 

from a neighboring node in the network to determine if the event 
W satisfies a predetermined security test, to modify an entry 

m associated with the neighboring node in the topology data stored 

fit 

fll in the memory if the event fails the security test, and to send 
2 an alarm notification indicative of the security failure to other 
RJ nodes of the network. 
20 

Viewing the present invention from a further aspect, there is now 
provided a data processing network comprising a plurality of data 
processing nodes, wherein each node maintains topology data 
representing the network, each of the data processing nodes 

25 comprising: a memory for storing the topology data; and, security 
management control logic connected to the memory and configured 
to evaluate an event received by the node from a neighboring node 
in the network to determine if the event satisfies a 
predetermined security test, to modify an entry associated with 

30 the neighboring node in the topology data stored in the memory if 
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the event fails the security test, and to send an alarm 
notification indicative of the security failure to any other 
nodes of the network. 



5 in a preferred embodiment of the present invention, trust 
relationships and routing decisions are made based on the 
experienced, observed, or reported message routing and forwarding 
behavior of other nodes. This is analogous to a biological system 
described in [10], in which there are "suckers, "cheats" and 
10 "grudgers". The suckers always help others, the cheats have 
yk others help them but fail to return the favor, and the grudgers 
SJ start by helping all others, but subsequently only helps those 
W that return the favor. The grudgers are found to prevail over 
&> time. 

Ml 



In a particularly preferred embodiment of the present invention, 
TO storage and processing requirements in each node of the network 

Pfi 

%l are minimized by each node employing a localized neighborhood 
p watch for generating a warning of malicious behavior based on 
20 observation of neighboring nodes, and by each node sharing with 

the other nodes information relating to malicious behavior 

experienced. 



Brief Description of the Drawings 

25 

Preferred embodiments of the present invention will now be 
described, by way example only, with reference to the 
accompanying drawings, in which: 

30 Figure 1 is a block diagram of a data processing network; 
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Figure 2 is a block diagram of a data processing node of the 
network; 

5 Figure 3 is a flow diagram corresponding to security management 
control logic of the node; 

Figure 4 is another flow diagram corresponding to security 
management control logic of the node; 

10 

gg Figure 5 is yet another flow diagram corresponding to security 

£3 

Jg management control logic of the node; 

in 

U\ Figure 6 is a block diagram of security management control logic 



15 of the node; 

ft 

W Figure 7 is a block diagram of a monitor of the control logic; 

p 

ill 

Figure 8 is a block diagram of a trust manager of the control 
20 logic; 

Figure 9 is a block diagram of a reputation manager of the 
control logic; 

25 Figure 10 is a block diagram of a path manager of the control 
logic; 



Figure 11 is a block diagram of a block diagram of the data 
network showing flow of routing requests; 

30 
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Figure 12 is a block diagram of a block diagram of the data 
network showing flow of routing replies; 

Figure 13 is a block diagram of a block diagram of the data 
5 network showing flow of data messages and an ALARM message; 

Figure 14 is a block diagram of the data network showing flow of 
an acknowledgment and rerouting of the data messages; and, 

10 Figure 15 is a state diagram of the control logic. 

f| Detailed Description of the Preferred Embodiment 

51 

5 nl 

Referring first to Figure 1, an example of a data processing 

y\ 

H; ii5 network 10 comprises a plurality of interconnected data 

p processing nodes 20, here labeled A, B, C, D and E . in operation, 

up: s 

m 

fij the nodes 20 communicate messages with each other via the network 
10 . It will be appreciated that the network 10 can be a 

mi 

fU distributed network, local area network, wide area network, 
20 campus network, wired network, wireless network, or other type of 
network • In a preferred embodiment of the present invention, the 
network is in the form of a mobile ad-hoc network. Similarly, it 
will be appreciated that each of the data processing nodes may be 
embodied in any one of a range of different forms, such as a 
25 mobile computer, personal digital assistant, desk top computer, 
mobile phone or the like. 

Referring now to Figure 2, each of the nodes 20 comprises a 
processor 30, an input/output (I/O) subsystem 50, and a memory 
30 60, all interconnected by a bus subsystem 40. The I/O subsystem 
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50 comprises at least one user input device such as a keyboard, 
keypad, mouse, microphone, or the like. Similarly, the I/O 
subsystem 50 comprises at least one user output device such as a 
display, loudspeaker, printer or the like. In addition, the I/O 
5 subsystem 50 comprises a network interface device for connecting 
the node 20 to the network 10. The processor 30 comprises a 
central processing unit such as a microprocessor or the like. The 
memory 60 includes a random access memory and a read only memory. 
In operation, the processor 30 executes computer program 
10 instruction code stored in the memory 60. The computer program 
[| code includes operating system software 80, application program 
P software 90, and networking software 100, for execution in 
Iff conjunction with operating system software 80. The networking 
gi software 100 may be embedded in the operating system software 80. 
IS The application program software 9 0 operates on data stored in 
f| the memory 60. The user can control execution of the application 
ry software 90 via the I/O subsystem 50. The networking software 100 
gj facilitates communication of application software and data in 
^ message form between the memory subsystem 60 and other nodes in 
20 the network 10 via the I/O subsystem 50. To facilitate 

communication with other nodes 20 in the network 10, topology 
data 110 containing entries indicative of the nodes 20 of the 
network together with paths and links between them is also stored 
in the memory 60 and maintained by the networking software 100. 
25 The networking software 100 comprises computer program code which 
when executed by processor 30, establishes security management 
control logic within the node 20. It will be appreciated that 
control logic, in this embodiment of the present invention, is 
embodied in computer program code resident in the memory 60 and 
30 executable by the processor 30. However, it will be equally 
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appreciated that, in other embodiment of the present invention, 
the control logic may be at least partially implemented by 
hardwired logic circuitry in the node 20. 

5 Referring now to Figure 3, the security management control logic 
is configured to evaluate at 210 an event received at 200 by the 
node 20 from a neighboring node 20 in the network 10 to determine 
at 220 if the event satisfies a predetermined security test. If 
the event fails the test, an entry associated with the 
10 neighboring node in the topology data 110 maintained by the node 
Q is modified and at 240 an alarm notification indicative of the 
g) security failure is sent to any other neighboring nodes. The 

tn 

S modification of the topology data entry corresponding to the 
Jj neighboring node may involve flagging the neighboring node or 
J5 paths involving the neighboring node such that paths involving 
Pi tne neighboring node are subsequently avoided or selected only in 
.13 extreme circumstances. Alternatively or additionally, the 
jW neighboring node may be flagged such that that messages 

subsequently received from the neighboring node are handled with 
20 greater care and scrutiny. In some embodiments of the present 

invention, the alarm notification may be sent to all neighboring 

nodes . 



In the network 10, the nodes 20 most likely to detect misbehavior 
are those in the vicinity of a misbehaving node. In some cases, 
the source and destination of a message can also detect 
misbehavior based on unusual responses received. 

Referring to Figure 4, in a preferred embodiment of the present 
invention, the control logic is configured such that evaluating 
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the event received from the neighboring node comprises counting 
at 300 the number of occurrences of the event in a predetermined 
time interval. If, at 310, the number of occurrences exceeds a 
predetermined event occurrence threshold, the rating of the 
5 neighboring node is incremented at 320. If at 330 the rating of 
the neighboring node exceeds a predetermined rating threshold, 
the control logic 100 determines at 340 that the event fails the 
security test. Otherwise the event is passed at 350. 

10 Referring to Figure 5, in a preferred embodiment of the present 

■q invention, the control logic is additionally configured to 

g receive at 400 an alarm notification generated by another node in 

m the network 10 and indicative of an event caused by a further 

yi node in the network 10. At 410, the control logic evaluates the 

.15 received alarm notification to determine if the other node 

|| satisfies a predetermined trust test. If, at 410, the control 

flJ logic finds that the other node is trusted, and thus passes the 

P trust test, the control logic evaluates the event indicated by 



5 * the alarm notification to determine if the event indicated by the 
20 alarm notification satisfies the security test. If at 430 the 
event indicated by the alarm notification fails the security 
test, the control logic modifies an entry corresponding to the 
event causing node in the topology data 110 maintained by the 
node and, at 450, sends another alarm notification indicative of 
25 the security failure to any neighboring nodes. The modification 
of the entry corresponding to the event causing node may be 
substantially as herein before described with reference to Figure 
3. 
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In a particularly preferred embodiment of the present invention, 
the control logic is configured such that the evaluation of the 
event indicated by the alarm notification is performed in a 
similar manner to that herein before described with reference to 
5 Figure 4 in that it comprises: counting the number of occurrences 
of the event indicated by the alarm notification in a 
predetermined time interval; incrementing a rating of the event 
causing node if the number of occurrences exceeds a predetermined 
event occurrence threshold; and, determining that the event 
10 indicated by the alarm notification fails the security test if 
U the rating of the event causing node exceeds a predetermined 
S| rating threshold. 



jfc Referring now to Figure 6, in a particularly preferred embodiment 
if of the present invention, the control logic comprises a monitor 
ig 500, a reputation manager 520, a path manager 530, and a trust 

W manager 510, all interconnected. 

fu 

O 

fu In operation, the monitor 500 performs a neighborhood watch 
20 function in which it observes local neighbor nodes for the 
purpose of detecting misbehavior such as intrusion, misuse of 
collaboration incentives, and denial of services. When 
misbehavior is detected, behavioral conditioning is performed by 
the nodes neighboring the malicious node. 

25 

As indicated earlier with reference to Figures 3 and 5, each node 
20 in the network 10 acts upon its own observations and upon 
ALARM messages received from other nodes 20 of the network 10. In 
the interests of collaboration, each node 20 also informs other 
30 nodes 20 in the network 10. 
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Referring now to Figure 7, each neighboring node 20 participating 
in a neighborhood watch detects misbehavior by the next node on a 
source route by listening to the transmission of the next node or 
5 by observing routing protocol behavior. The listening and 
observing functions are performed in each such node 20 by the 
monitor 500. Specifically, the monitor 500 receives ALARM 
messages from other nodes in the network 10 and detects events 
originating in neighboring nodes. The monitor 500 comprises a 
10 watch table 540 for retaining copies of sent messages for event 
p detection. By keeping a copy of a message, listening to the 
^ transmission of the next node, and comparing the retained copy 
WJ with the transmission, any content change indicative of an event 
Hi is detected. Types of misbehavior thus detected include: no 
p forwarding of control messages or data; unusual traffic 

M attraction, such as advertising of many good routes and 

IjJ 

Hi advertising routes very fast so that they are deemed good routes; 
13 rerouting to avoid a broken link despite there being no error 
* f observed; lack of error messages despite an error having been 
20 observed; unusually frequent routing updates; and, tampering with 
the header in either control or data messages. 

As will be described shortly, for such types of misbehavior, 
thresholds are set that may not be exceeded by a node. There are 

25 two neighbor types for each source route: the node 20 preceding 
the observed node 20 in the source route and any node 20 on hop 
away from the observed node. These two neighbor types have 
different capabilities. The neighbor node 20 on the same path as 
the observed node 20 has additional route information from which 

30 it can detect whether a message was forwarded to the next hop in 
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the route. Routing protocol behavior on the other hand can be 
observed by any neighbor within a one hop radius. 

As indicated in [11] , it is desirable in an ad-hoc network for 
5 trust management to be both distributed and adaptive. The trust 
manager 510 handles incoming ALARM messages received by the 
monitor 500 from other nodes 20 in the network 10. 

Referring to Figure 8, the trust manager 510 comprises a trust 
10 table 550 in which the trust manager 510 assigns a level of trust 
|j to other nodes in the network 10. The trust levels are recorded 
W in a trust table 550. ALARM messages received from other nodes in 
Iff the network 10 by the monitor 510 are assigned the level of trust 
01 associated with the node originating the ALARM message in the 
15 trust table 550. The trust manager 90 employs a trust function to 
|l calculate the trust levels recorded in the trust table 550. ALARM 
ftj messages are forwarded by the trust manager 510 provided that an 

gj acceptable level of trust is associated with the originating node 

pi 

m the trust table 550. The trust manager 510 thus filters 
20 incoming ALARM messages are filtered according to the level of 
trust assigned to the reporting node. The level of trust is 
employed by the node 20 when deciding whether to provide or 
accept routing information, whether to accept a node as part of a 
route, and in whether to take part in a route originated by 
25 another node. 

In a particularly preferred embodiment of the present invention, 
the trust manager 500 employs a trust function for routing and 
forwarding which is similar to that used for key validation and 
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certification in Pretty Good Privacy (PGP) encryption. Further 
details of PGP can be found in [12] . 

Referring now to Figure 9, the reputation manager 520 comprises a 
5 rating table 560, In operation, the reputation manager 520 

performs the function herein before described with reference to 
Figure 3. Specifically, the reputation manager 520 stores in the 
rating table 560 a list of nodes of the network 10 with a rating 
against each of the listed nodes. As herein before described, the 
10 rating assigned to a given node is changed when there is 
jjjg sufficient evidence that the node is misbehaving. This test is 
|f realized by determining when the number of events received by the 
Ml reputation manager 520 in connection with the malicious node 
Hi exceeds a predetermined level within a predetermined time 
p interval. An event may be detected by the monitor 500 as 
p occurring in a neighboring node. Alternatively, an event may be 

flf received by the monitor 500 in an ALARM message generated by 

y 

p another node based on detection by that other node of misbehavior 

ffj 

m a further node. The rating associated with the malicious node 
20 is then changed in the rating table 560 by the reputation manager 
520 according to a rating function. The reputation manager 520 
employs the rating function to assign different weights to the 
events depending on the source of the event. Events detected by 
the monitor 500 are assigned the greatest weight. ALARM messages 
25 based on observations of other nodes are assigned lower weights. 
Specifically, ALARM messages in the form of reported experiences 
from other nodes are assigned weight based on the level of trust 
associated with the reporting node in the trust table 530 
maintained by the trust manager 510. it will be appreciated then 
30 that there is cooperation between the reputation manager 520 and 
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the trust manager 510. Once the weight of an event has been 
determined by the reputation manager 520, the rating 
corresponding to the malicious node in the rating table 560 is 
modified accordingly, if the rating of the malicious node 
5 deteriorates beyond a predetermined tolerance threshold, the 
reputation manager 520 notifies the path manager 530. 

By employing local rating tables maintained at each node 20 of 
the network 10, centralized rating is avoided. The nodes 20 in 
10 the network 10 can include in routing requests indications of 
dl malicious nodes to be avoided in routing based on the contents of 
jj rating tables 560 individually maintained. Nodes 20 in the 
%! network 10 may also exchange rating tables 560 with each other. 

m,yt 

m Furthermore, nodes 20 in the network 10 may look up senders of 
Jl5 messages in the rating table 560 before sending anything to them. 
J in particularly preferred embodiments of the present invention, 
: y genuinely malicious nodes and false accusations are effectively 
P distinguished from each other by associating time-out periods of 

it"; 'i 

! U 

entries in the rating tables 560 and trust tables 550, after 
20 which the entries are reset. The time out also prevents the 
tables 550 and 560 becoming too large, thereby facilitating 
scalability of the network 10. 

Referring now to Figure 10, the path manager 530 comprises the 
25 topology data 110. In operation, the path manager 530 stores 
available forwarding paths in the topology data 110. Paths are 
deleted if malicious nodes are detected therein by the reputation 
manager 520. On eliminating a malicious node from the topology 
data 110, the path manager 530 also instructs the trust manager 
30 510 to issue an ALARM message. 
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Each ALARM message comprises indications of routing protocol 
violation type, the number of occurrences detected, whether the 
message was originated by the sender, the address of the 
5 reporting node, the address of the observed node, and the 

destination address. As herein before described, ALARM messages 
are sent in response to malicious behavior exceeding a threshold 
value. By way of example, Figures 11 to 14 show flow of messages 
and data from route discovery to detection of malicious behavior 

10 and subsequent rerouting in the network 10 herein before 

p described with reference to Figure 1. 

1 

|j Referring to Figure 11, a route is discovered for a path from 
111 node A to node E. Specifically a route request is generated at 
15 node A and sent to adjacent nodes B and C at 201 and 202. The 

route request is forwarded by node B to nodes C, D, and E at 203, 

ry 

RJ 204, and 205 respectively. The request is also forwarded by node 

SI 

Cj C to node D at 206. 

m 

20 With reference to Figure 12, node E issues a route reply message 
which is sent via node B to node A at 211 and 212 respectively. 
Similarly, node D, which has a path to node E, also sends a route 
reply message back to node A via node C at 214 and 213 
respectively. The reply message contains the reverse source route 

25 to the destination node E. 

Turning to Figure 13, node A chooses the route to node E via 
nodes C and D based on metrics associated with route being 
preferable, according some predetermined routing criteria, to 
30 those associated with the route via node B. Data messages are now 
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passed from node A to node E via nodes C and D as indicated at 
221 and 222 respectively. In this example however, during the 
data flow, node C detects that node D is behaving maliciously. On 
detection in node C that the malicious behavior of node D has 
^ 5 exceeded a predetermined threshold, node C issues an ALARM 
message to node A as indicated at 223. 

Referring now to Figure 14, node A acknowledges the ALARM message 
received from node C as indicated at 233 and, based on the ALARM 
10 reroutes the data flow to the node E via node B. 

a 

13 

gj It is desirable for each node 20 in the network 10 to be able to 

authenticate ALARM messages received from other node 20 in the 
I* network 10, in the interests of maintaining trust in the network 
If 10 and to prevent the nodes 20 from denouncing each other. Such 
jk authentication may be achieved by the certification and 

JfJ validation function provided in PGP. It will be appreciated that 

i.y 

%l other authentication schemes may be used. 

■fr, ;; 

20 As indicated earlier, in operation, each node 20 in the network 
20 monitors the behavior of its next hop neighboring nodes. 

Referring now to Figure 15, in a preferred embodiment of the 
present invention, the monitoring is performed by the monitor 500 
25 in each node 20 to detect suspicious network events. 

At initialization, the monitor 500 changes from an initial state 
320 to a monitoring state 321. If a suspicious event is detected 
by the monitor 500, the monitor 500 informs the reputation 
30 manager 520 as shown at 301. 



CH920010040US1 



22 



On receipt of notification of the event, the reputation manager 
520 evaluates the notification at 322. If the notification is 
found to be significant for the node 20, then, as shown at 303, 
5 the reputation manager 520 updates an event count at 323. 

Otherwise, the control logic returns to the monitoring state 321 
as shown at 302. The significance threshold can be defined for 
different types of node 20 according to, for example, the 
security requirements of the different types of node. 

10 

g If the event count is updated, then the reputation manager 520 

pi! 

|| checks the updated event count to determine whether the event has 

JjJ occurred more often than a predefined event threshold. The event 

111 threshold is set sufficiently high to distinguish deliberate 

Jl5 malicious behavior from simple coincidences such as collisions. 

m 

ft If the occurrence threshold is exceeded, then, as shown at 304, 
Ill the reputation manager 520 updates the rating of the node that 
© caused the event in the rating table 160. Otherwise, the control 

logic returns to the monitoring state 321 as shown at 313. At 
20 324, the reputation manager checks the rating now assigned to the 
node that caused the event in the rating table 160. If the rating 
is below a predefined tolerance limit, then, at 306, the 
notification is relayed to the path manager 530. Otherwise, the 
control logic returns to the monitoring state 321 as shown at 
25 305. 

On receipt of the notification at 325, the path manager 530 
modifies the topology data 110 to remove all routes containing 
the intolerable node. The path manager 530 relays the 
30 notification to the trust manager 510 as shown at 307. On receipt 
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of the notification, the trust manager 510 may send an alarm 
message describing the event as shown at 326. The control logic 
then returns to the monitoring state 321 as shown at 308. 

5 When the monitor 500 receives an ALARM message from another node, 
it passes the message on to the trust manager 510 as shown at 
309. On receipt of the message, the trust manager 510 evaluates, 
at 327, the source of the message. If the source is at least 
partially trusted, then, at 311, the message is passed into an 
10 ALARM table which is thus updated as shown 328. If the source is 
§ not trusted, then the control logic returns to a monitoring state 
|j as shown at 310. If there is sufficient evidence that the source 
J| reported in the message is malicious, then, at 312, the trust 
Wj manager 90 sends the message to the reputation manager 520 where 
15 the event described is evaluated for significance, number of 
Sj occurrences and accumulated reputation as herein before 
g described. Otherwise, the control logic returns to the monitoring 
p state 321 as shown at 314. The sufficiency of the evidence 

in. z 

depends on the level of trust associated with the source of the 
20 message. It will be appreciated that several partially trusted 
nodes may report the same event. The partial trusts assigned to 
each may combine to equal or exceed that of a fully trusted node. 
In those circumstances, a particularly preferred embodiment of 
the present invention treats the event reported by the partially 
25 trusted node as if it had been reported by a single fully trusted 
node. 

Embodiments of the present invention have been herein before 
described with reference to an ad hoc data processing network. 
30 However, it will be appreciated that the present invention is 
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equally applicable to many other forms of data processing 
network, data communications, and distributed data processing 
functions. The term data processing as used herein should 
therefore be construed accordingly. Indeed, it will be 
5 appreciated that many changes may be made to the embodiments of 
the present invention described herein without departing from the 
scope of the invention. 
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